incubator-ooo-dev mailing list archives

From Malte Timmermann <malte_timmerm...@gmx.com>
Subject Re: Population of ooo-security
Date Thu, 28 Jul 2011 10:06:30 GMT
After initiating the OOo security team 5 years ago, and doing most of 
the coordination stuff for OOo security fixes, please allow me to 
state my pov wrt ooo-security :)

ooo-security is _not_ a mailing list where all people interested in 
security related stuff can discuss fancy things.

ooo-security is about confidential stuff, and must be a closed list. The 
number of subscribers should be kept low.

The reasons why somebody should be allowed to be on ooo-security are:

- People responsible for handling security issues.
   This includes people who communicate with the security researchers who
   report vulnerabilities, and people doing security analyses and fixes.
   For the fixes it might happen that they involve others, who better
   know the code. So it may happen that many more people will work on
   security issues than are subscribed to the list. Everybody who knows
   a bigger chunk of code might need to do some security fix some time,
   but that doesn't mean that all these people should be subscribed to
   the list.

- People responsible for the security of related products.
   People from products based on AOOo might need to do the same or
   similar fixes in their product, or even might want to help fixing the
   issue in the base product.
   This definitely includes people from LibreOffice!

- People responsible for providing patches or updated program versions
   In the OOo Security Team, we have from most Linux distros someone
   from their security team, so they know about the issues and can
   prepare for updates.

- People responsible for writing security bulletins
   Once AOOo is a real product, we need to get CVEs for security issues
   and need to write and publish security bulletins.

First we should get the right people on the list who work in the first 2 
areas. As long as we don't have a product, we don't need security 
bulletins. Also we only need to add security people from the distros 
once they ship vanilla AOOo. When they continue shipping LibO, they only 
need to be on the LibO security list.

It's not clear to me whether or not all people must be committers for 
some reason. With "people responsible for the security of related 
products", I have the feeling they shouldn't need to be committers.

From the people on the current OOo security team, there are (iirc) only 
2 people beside myself who regularly worked on fixes for security 
issues: Caolan McNamara and Rene Engelhard. I would like to add them to 
ooo-security. They are also in the LibO security team, so adding them 
should give enough LibO coverage.

Malte.



On 28.07.2011 09:18, Florian Effenberger wrote:
> Hello,
>
> Rob Weir wrote on 2011-07-28 04:08:
>> -1. This is the project's private security list, with only a subset
>> of the PPMC on it. We should not have 3rd parties signed up on it.
>
> that would mark a negative change in the way things are handled. Since
> the beginning of LibO, we have also been collaborating with the
> OpenOffice.org folks on security and vice versa, and from what has been
> discussed the last weeks on those private lists, I got the impression
> that everyone involved wanted to keep that good spirit and cooperation,
> as it has shown to be beneficial for both sides.
>
> I second André and Drew in their opinion that this is actually one of
> the areas, where cooperation is very easily possible, so IMHO, we
> shouldn't waste that chance.
>
> Florian
>

